Information security truisms: 2017 was the year of more cybersecurity - more attacks, more spending, more defenses, more breaches - and 2018 will see more of everything "cyber."
Absent a crystal ball, those remain surefire cybersecurity predictions, driven by the outsize profits available to online attackers, the relatively low risk of launching remote attacks, the explosion of digitization and the connection of more types of devices to the internet - but not necessarily in a secure manner.
Here's more about what to expect in 2018.
1. More Big, Bad Breaches
As in previous years, 2017 saw a number of big, bad breaches or breach investigation results, some of which pertained to historical mega-breaches.
On the shortlist so far for some of the worst breaches or breach updates to come to light this past year:
Equifax: Lost 143 million U.S. consumers' personal details after it failed to patch a web portal (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
Yahoo: Revised its December 2016 estimate that 1 billion accounts were compromised in a 2013 breach to 3 billion accounts, or its entire user base (see Former Yahoo CEO: Stronger Defense Couldn't Stop Breaches).
Uber: Concealed a breach pertaining to 57 million drivers and riders for a year (see Report: Uber Paid Florida 20-Year-Old $100,000 Over Hack).
"I don't think this was a good year for dirty laundry," says Tom Kellerman, CEO at cybersecurity venture capital firm Strategic Cyber Ventures. He expects yet more breach cover-ups to come to light in 2018.
Australian data breach expert Troy Hunt also says we'll continue to see even more big, bad breaches (see Senators Again Propose National Breach Notification Law).
"We're not retiring systems at the rate we're creating them, so we have a larger attack surface," Hunt says. "When you see the likes of the Pentagon and the NSA [U.S. National Security Agency] accidentally publishing things to Amazon S3 buckets, you think, what hope is there for the rest of us?"
2. More Poor Security Practices
Brian Honan, president of BH Consulting in Dublin, says that for the past eight years, he's opened the Irish Reporting and Information Security Service's IRISSCON annual Cybercrime Conference in Dublin by calling out these five themes:
Lack of patching;
Out-of-date anti-virus software;
Lack of monitoring;
and Using vulnerable and old systems, such as ColdFusion, Windows XP, outdated WordPress and the like.
He predicts his themes will be the same for 2018, compounded by organizations continuing to use outdated technology.
3. More Endpoint Security Woes
One of the biggest outbreaks of 2017 was the May WannaCry ransomware attack (see Trump Administration: 'North Korea Launched WannaCry').
"WannaCry could have been prevented if people just patched," says Avivah Litan, vice president and distinguished analyst at Gartner. But organizations remain challenged by patch management. "Endpoint security is different than IT management," she says. Meaning that while it's easy to roll systems out, it's tough to take systems offline for maintenance or prioritize what needs to be patched.
The result is that there are a massive number of systems that have well-known vulnerabilities. No wonder that "80 to 90 percent of ransomware uses common vulnerabilities," Litan says.
To help, she says all organizations should be using the "latest and greatest" anti-virus software, because the latest generations include much better detection and response capabilities especially for any product that's tied to the cloud. "They'll see the most benefits," she says.
4. More Takedowns
2017 saw a number of notable takedowns by law enforcement agencies in the United States and Europe. "This [was] an amazing year for law enforcement in general because of their takedowns and arrests," Kellermann at Strategic Cyber Ventures says (see Police Bust Five Ransomware Suspects in Romania).
With increased sharing of information - via so-called police-led intelligence - security experts say 2018 will hopefully see even more such takedowns.
5. More Bitcoin Heists
While cryptocurrency values might remain in flux, in recent weeks the value of a bitcoin has been surging.
Cue continuing interest from criminals and cash-strapped nation-state attackers, with North Korea remaining a major culprit as it seeks to deal with continuing sanctions over its missile and nuclear programs. "A third of its GDP is projected to come from hacking," says Cybereason CISO Sam Curry (see Cybercriminals Go Cryptocurrency Crazy: 9 Factors).
"There are at least four very advanced threat actor groups who have been attacking banks in recent years, and about a month ago, they just dropped their activities and moved over to bitcoin hacking," says Gartner's Litan, citing information she's received from threat intelligence firms (see Lazarus Hackers Phish For Bitcoins, Researchers Warn).
Stealing bitcoins gives attackers a way to generate cash. If they hold onto the cryptocurrency and it rise in value, furthermore, they have even more return on their hacking investment.
"Economic sanctions in the real world" against Russian and North Korean individuals and organizations "are being offset by cyberattacks," Kellermann says. "It's high time that we pay attention to the money," he adds, including how and where it flows.
6. More Extortion Shakedowns
Experts predict that attackers will continue to double down on ransomware and other attacks that involve shaking down victims to amass cryptocurrency.
"The combination of the spreading use of computer and information devices, including through IoT and for all parts of our businesses, aligned with the now common availability of anonymous payment mechanisms, has enabled the growth of cyber extortion at scale," says Philip Reitinger, president and CEO of the Global Cyber Alliance, which is focused on eradicating systemic cybersecurity risks.
As outbreaks such as WannaCry have demonstrated, just one strain of malware can have devastating repercussions. "When a single piece of malware can threaten thousands or millions of businesses with a single click, every business is a target for extortion," Reitinger says.
7. Online Proxy Wars
"I'm really worried about nation-states fighting their proxy wars using cyber," says Art Coviello, the former RSA executive chairman who's now a venture partner at Rally Ventures, an investment firm in Silicon Valley.
"Unfortunately, you are going to see a big investment in cyber weaponry, certainly in the United States," Coviello says. "We're living in the biggest digital glass house on the planet with the greatest attack surface. So in our case, the best defense is the most powerful offense. We need to discourage attackers. But I worry that we will be in a never ending cyber arms race."
There are increasing signs that countries are investing in online attack capabilities. For example, the U.K. Parliament's Intelligence and Security Committee recently released its annual report, which touches on the country's increased investment in "offensive cyber capability."
The report notes: "There has been a wide spectrum of successes."
Coviello's concerns about proxy wars fought online are not an outlier. "I'm tremendously concerned with the dramatic increase in capability from North Korea and Iran, both of which have the resolve to do massive damage and who you would consider in cyberspace to be irrational actors," Kellermann says.
8. Market Consolidation
Many information security industry watchers expect to see plenty of mergers and acquisitions in 2018.
"I see lots of consolidation in the coming year; I think most companies are overvalued," says Kellermann. "You're going to see dramatic plays in IoT security and a repositioning of many cybersecurity companies as a platform."
In theory at least, these platforms should combine disparate technology offerings in a way that makes them easier to manage.
9. More EU Breach Notifications
The EU's General Data Protection Regulation, which is now in force, won't be enforced until May 2018. It represents a major improvement to Europe's data protection laws, demanding transparency in how organizations use personal information.
Under GDPR, organizations must inform authorities within 72 hours of learning that they may have been breached. They must also stop using personal information upon request, unless they have a valid business reason for continuing to do so.
"I expect with GDPR we'll see a huge focus in how to handle and manage security breaches," says BH Consulting's Honan, who advises the EU's law enforcement intelligence agency, Europol, on cybersecurity matters (see GDPR: Distinguishing Fact From Fiction). "If you're a business that already practices good privacy and data protection measures, complying with GDPR is not going to be a huge jump."
10. GDPR Fines
EU privacy watchdogs will have the ability to impose fines of up to 4 percent of a company's global annual profits, or €20 million ($23.5 million) - whichever is greater - on organizations or individuals who violate GDPR. Compliance experts say these fines aren't meant to be punitive, and they expect that the most severe fines would be reserved for organizations that not only failed to invest in proper information security practices but actively covered up breaches or engaged in other illegal behavior.
"GDPR is going to prove a quick flash of fear, much as any new regulation does," Cybereason's Curry says. "CISOs should not let a good crisis go to waste, but I don't think it's going to change things much. They may get some more budget but then things will return to normal ... unless fines start."